Fixes and render-helper

[feruzm]

Summary by CodeRabbit

• Bug Fixes

  • Improved rendering of release item content and more robust HTML handling for block-level tags
  • Safer/improved authentication handling for swap operations
  • Enhanced image extraction to recognize additional hosts and RAW formats
  • Updated embedded video source URL handling for third‑party videos

• Tests

  • Added tests covering RAW images, proxied images, and mixed-image content

• Chores

  • Bumped renderer and render-helper versions
  • Added a public type export and clarified type documentation

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Dependency/version updates and render-helper tweaks: type export added; markdown-to-HTML behavior adjusted (new block-tag fixer and 3Speak embed changes); render helper usage swapped to renderPostBody; image regexes expanded (.arw and images.ecency.com); small auth selection refactor for Hive Engine swaps; tests updated/added.

Changes

Cohort / File(s)	Summary
Dependency & Version Changes apps/web/package.json, packages/renderer/package.json, packages/render-helper/package.json	Bumped render-helper usage in apps/web to workspace:*; updated packages/renderer and packages/render-helper versions.
Render usage & helpers apps/web/src/app/decks/_components/columns/deck-whats-new-column.tsx, packages/render-helper/src/helper.ts, packages/render-helper/src/index.ts	Replaced markdownToHTML call with renderPostBody; createDoc now wraps HTML in <body> before parsing; added export type { Entry } (type-only).
Markdown → HTML improvements packages/render-helper/src/methods/markdown-to-html.method.ts, packages/render-helper/src/methods/markdown-to-html.method.spec.ts	Added fixBlockLevelTagsInParagraphs to remove erroneous <p> around block-level tags; new tests for block-level tag handling.
3Speak embed normalization packages/render-helper/src/methods/iframe.method.ts, packages/render-helper/src/methods/a.method.ts, packages/render-helper/src/methods/a.method.spec.ts, packages/render-helper/src/markdown-2-html.spec.ts, packages/render-helper/src/methods/iframe.method.spec.ts	Normalizes 3Speak URLs to 3speak.tv and removes automatic mode=iframe insertion; tests updated to expect new host/parameter behavior.
Image regexes & metadata extraction packages/render-helper/src/consts/regexes.const.ts, apps/web/src/utils/posting.ts, apps/web/src/specs/utils/posting.spec.ts	Added ECENCY_IMG_REGEX and .arw support in IMG_REGEX; extractMetaData now includes ecency-hosted images alongside extension-matched images; new/updated tests for .arw, ecency proxied URLs, and mixed inputs.
Local Entry type replacements packages/renderer/src/lib/api/hive.api.ts, packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx	Replaced external Entry imports with locally defined Entry interfaces preserving prior fields.
Swap auth selection refactor apps/web/src/features/market/market-swap-form/api/swapping.tsx	Resolve user first and build auth from it; derive Hive Engine method from user.loginType ("hiveauth" vs "keychain") and pass to swapEngine (refactor of inline auth/method logic).
Tests and small fixes packages/render-helper/src/methods/a.method.spec.ts, other spec files	Adjusted expectations for 3Speak embed URLs and autoplay behavior; miscellaneous spec updates to match behavior changes.

Sequence Diagram(s)

(Skipped — changes are refactors, parsing/regex updates, type exports, and tests; no new multi-component sequential flow requiring visualization.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Engine/SPK to SDK #608 — Modifies market swapping auth/method selection logic similar to swap auth refactor in swapping.tsx.
• Render helper migration #615 — Related migration/consumption of @ecency/render-helper (renderPostBody usage and Entry type export).
• Tests for SDK, Renderer and Wallets #616 — Overlapping changes in renderer/render-helper (3Speak embed normalization, regex and helper updates).

Poem

🐰 I hopped through types and regex anew,
Wrapping bodies, fixing blocks, and embeds too,
ARW and ecency images now in view,
Auth paths tidy, local Entry snug and true,
A tiny rabbit cheers — commit and chew!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Fixes and render-helper' is vague and non-descriptive, using generic language that doesn't convey meaningful information about the changeset's primary changes.	Use a more specific title that highlights the main change, such as 'Update render-helper exports and fix 3Speak embed URLs' or 'Refactor auth context and add Entry type export'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 321d21a and 2ca07e6.

⛔ Files ignored due to path filters (6)

• packages/render-helper/dist/browser/index.js is excluded by !**/dist/**
• packages/render-helper/dist/browser/index.js.map is excluded by !**/dist/**, !**/*.map
• packages/render-helper/dist/node/index.cjs is excluded by !**/dist/**
• packages/render-helper/dist/node/index.cjs.map is excluded by !**/dist/**, !**/*.map
• packages/render-helper/dist/node/index.mjs is excluded by !**/dist/**
• packages/render-helper/dist/node/index.mjs.map is excluded by !**/dist/**, !**/*.map

📒 Files selected for processing (8)

• packages/render-helper/src/helper.ts
• packages/render-helper/src/markdown-2-html.spec.ts
• packages/render-helper/src/methods/a.method.spec.ts
• packages/render-helper/src/methods/a.method.ts
• packages/render-helper/src/methods/iframe.method.spec.ts
• packages/render-helper/src/methods/iframe.method.ts
• packages/render-helper/src/methods/markdown-to-html.method.spec.ts
• packages/render-helper/src/methods/markdown-to-html.method.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/render-helper/src/methods/a.method.ts
• packages/render-helper/src/methods/a.method.spec.ts

🧰 Additional context used

🧬 Code graph analysis (3)

packages/render-helper/src/methods/markdown-to-html.method.spec.ts (1)

packages/render-helper/src/methods/markdown-to-html.method.ts (1)

• markdownToHTML (68-206)

packages/render-helper/src/methods/iframe.method.spec.ts (1)

packages/render-helper/src/methods/iframe.method.ts (1)

• iframe (3-190)

packages/render-helper/src/methods/iframe.method.ts (3)

packages/render-helper/dist/node/index.cjs (7)

• normalizedSrc (1004-1004)
• normalizedSrc (1093-1093)
• src (343-343)
• src (834-834)
• src (879-879)
• src (971-971)
• src (1458-1458)

packages/render-helper/dist/browser/index.js (7)

• normalizedSrc (992-992)
• normalizedSrc (1081-1081)
• src (331-331)
• src (822-822)
• src (867-867)
• src (959-959)
• src (1446-1446)

packages/render-helper/dist/node/index.mjs (7)

• normalizedSrc (995-995)
• normalizedSrc (1084-1084)
• src (334-334)
• src (825-825)
• src (870-870)
• src (962-962)
• src (1449-1449)

🪛 ast-grep (0.40.5)

packages/render-helper/src/methods/markdown-to-html.method.ts

[warning] 43-43: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(<p>(<(?:${blockTags})(?:\\s[^>]*)?>)<\\/p>, 'gi')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 48-48: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(<p>(<\\/(?:${blockTags})>)<\\/p>, 'gi')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 53-53: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(<p>(<(?:${blockTags})(?:\\s[^>]*)?>)(?:<br>)?\\s*, 'gi')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

---

[warning] 57-57: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(\\s*(?:<br>)?\\s*(<\\/(?:${blockTags})>)<\\/p>, 'gi')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

🔇 Additional comments (7)

packages/render-helper/src/helper.ts (1)

9-13: The wrapping approach is sound for handling markdown-generated HTML fragments.

The use of <body> tags to handle multiple root elements from markdownToHTML is a reasonable solution. All usages show createDoc is called with HTML fragments (e.g., output from markdown2Html), not full HTML documents. The test suite and production code in catch-post-image.ts confirm that inputs like <h1>Title</h1><p>content</p> are expected, not documents with existing <body> tags, so the nested body element edge case is not a concern.

packages/render-helper/src/markdown-2-html.spec.ts (1)

427-427: Test expectations correctly updated for 3Speak embed URL changes.

The removal of mode=iframe from the expected data-embed-src URLs aligns with the implementation changes in iframe.method.ts and a.method.ts, where the 3Speak embed handling was simplified to normalize to 3speak.tv without enforcing the mode=iframe parameter.

Also applies to: 439-439

packages/render-helper/src/methods/markdown-to-html.method.spec.ts (1)

701-807: Well-structured test suite for block-level HTML tag handling.

The new tests comprehensively cover:

• <center> and <div> tags with blank lines that previously caused paragraph wrapping issues
• 3Speak embeds within center tags
• Nested block-level tags with balanced tag verification
• Inline tags (<span>) correctly remaining inside paragraphs
• Table tags not being wrapped

The tag-counting approach using regex provides a reliable validation of balanced opening/closing tags.

packages/render-helper/src/methods/iframe.method.spec.ts (1)

351-415: Tests correctly updated for simplified 3Speak embed handling.

The test updates properly verify:

• Domain normalization from 3speak.co and 3speak.online to 3speak.tv
• Removal of mode=iframe requirement in favor of autoplay=true
• Preservation of existing query parameters
• Protocol-relative URL handling

These changes are consistent with the implementation updates in iframe.method.ts.

packages/render-helper/src/methods/markdown-to-html.method.ts (2)

38-66: Well-documented helper function for fixing block-level tag wrapping.

The fixBlockLevelTagsInParagraphs function effectively addresses Remarkable's known issue with wrapping block-level tags in <p> elements. The approach using sequential regex patterns is pragmatic.

Regarding the static analysis warnings about ReDoS: these are false positives because blockTags is a hardcoded constant string (not user input), and the regex patterns use bounded quantifiers without nested repetition.

---

140-143: Good placement of the block-level tag fix.

Calling fixBlockLevelTagsInParagraphs immediately after md.render(input) ensures the HTML is repaired before DOM parsing, preventing "Opening and ending tag mismatch" errors from DOMParser.

packages/render-helper/src/methods/iframe.method.ts (1)

55-60: No changes needed. The SPEAK_EMBED_REGEX requires all matching URLs to contain a query parameter (\/embed\?[^/]+$), guaranteeing that normalizedSrc will always have at least one ? in the URL. Therefore, appending &autoplay=true at line 59 is safe and will never produce a malformed URL.

Likely an incorrect or invalid review comment.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

apps/web/src/features/market/market-swap-form/api/swapping.tsx (2)

113-121: Potential method/auth mismatch when shouldUseHiveAuth returns true but loginType differs.

The comment states this avoids method/auth mismatch, but getSdkAuthContext (line 17-18 in the relevant snippet) sets up HiveAuth broadcast when either loginType === "hiveauth" or shouldUseHiveAuth(user.username) is true.

If shouldUseHiveAuth(username) returns true but user.loginType is not "hiveauth", then:

• auth will be configured with HiveAuth broadcast
• method will be "keychain" (line 115)

This creates the exact mismatch the comment claims to avoid.

Suggested fix to align method selection with auth setup

     // Use actual loginType instead of shouldUseHiveAuth to avoid method/auth mismatch
-    const method = user?.loginType === "hiveauth" ? "hiveauth" : "keychain";
+    const method = user?.loginType === "hiveauth" || (user && shouldUseHiveAuth(user.username)) ? "hiveauth" : "keychain";

Alternatively, if the intent is to stop using shouldUseHiveAuth for this flow, then getSdkAuthContext should also be updated to not use it when called from here, or a different auth context construction should be used.

---

13-13: Remove unused import shouldUseHiveAuth.

This import is no longer used after the refactor that changed line 114 to use loginType directly. The comment in the code explicitly documents this: "Use actual loginType instead of shouldUseHiveAuth to avoid method/auth mismatch."

packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx (1)

112-115: hydrateRoot is intended for hydrating server-rendered HTML, not for rendering into empty containers.

hydrateRoot expects the container to already have server-rendered HTML that matches the React component tree. Here you're creating a new empty <div> and rendering into it, which is the use case for createRoot.

🐛 Proposed fix

-import { hydrateRoot } from "react-dom/client";
+import { createRoot } from "react-dom/client";

-        hydrateRoot(
+        createRoot(container).render(
-          container,
           <WaveLikePostRenderer link={element.getAttribute("href") ?? ""} />,
         );

🧹 Nitpick comments (3)

apps/web/src/app/decks/_components/columns/deck-whats-new-column.tsx (1)

44-45: Consider logging or handling fetch errors.

The empty catch block silently swallows errors. Consider logging the error for debugging purposes.

Suggested improvement

     } catch (e) {
+      console.error("Failed to fetch releases:", e);
     } finally {

packages/renderer/src/lib/api/hive.api.ts (1)

1-7: Consider importing Entry from @ecency/render-helper to avoid duplication.

This local interface duplicates the canonical Entry interface from packages/render-helper/src/types/entry.interface.ts, which is now exported publicly from the package (see packages/render-helper/src/index.ts line 20). The same duplicate interface also appears in wave-like-post-extension.tsx.

Importing from the shared package would reduce maintenance burden and ensure type consistency.

♻️ Suggested refactor

-interface Entry {
-  author?: string;
-  permlink?: string;
-  last_update?: string;
-  body: any;
-  json_metadata?: any;
-}
+import type { Entry } from "@ecency/render-helper";

packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx (1)

11-17: Same duplication as hive.api.ts — consider a shared import.

This is the same Entry interface defined locally in hive.api.ts. Since @ecency/render-helper now exports Entry publicly, both files could import from the shared package to maintain a single source of truth.

♻️ Suggested refactor

-interface Entry {
-  author?: string;
-  permlink?: string;
-  last_update?: string;
-  body: any;
-  json_metadata?: any;
-}
+import type { Entry } from "@ecency/render-helper";

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 396e4bc and 81d0e76.

⛔ Files ignored due to path filters (3)

• packages/render-helper/dist/browser/index.d.ts is excluded by !**/dist/**
• packages/renderer/dist/lib/api/hive.api.d.ts is excluded by !**/dist/**
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• apps/web/package.json
• apps/web/public/sw.js
• apps/web/src/app/decks/_components/columns/deck-whats-new-column.tsx
• apps/web/src/features/market/market-swap-form/api/swapping.tsx
• packages/render-helper/src/index.ts
• packages/render-helper/src/types/entry.interface.ts
• packages/renderer/package.json
• packages/renderer/src/lib/api/hive.api.ts
• packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx

🧰 Additional context used

🧬 Code graph analysis (3)

packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx (3)

packages/render-helper/src/index.ts (1)

• Entry (21-21)

packages/render-helper/src/types/entry.interface.ts (1)

• Entry (4-10)

packages/render-helper/dist/browser/index.d.ts (1)

• Entry (35-35)

apps/web/src/features/market/market-swap-form/api/swapping.tsx (1)

apps/web/src/utils/sdk-auth.ts (1)

• getSdkAuthContext (6-46)

packages/renderer/src/lib/api/hive.api.ts (3)

packages/render-helper/src/index.ts (1)

• Entry (21-21)

packages/render-helper/src/types/entry.interface.ts (1)

• Entry (4-10)

packages/render-helper/dist/browser/index.d.ts (1)

• Entry (35-35)

🪛 Biome (2.1.2)

apps/web/src/app/decks/_components/columns/deck-whats-new-column.tsx

[error] 82-82: Avoid passing content using the dangerouslySetInnerHTML prop.

Setting content using code can expose users to cross-site scripting (XSS) attacks

(lint/security/noDangerouslySetInnerHtml)

🔇 Additional comments (9)

apps/web/src/features/market/market-swap-form/api/swapping.tsx (1)

89-93: Auth context construction looks good.

The two-step approach of first resolving the user, then building the auth context is cleaner and more explicit than chaining.

packages/render-helper/src/types/entry.interface.ts (1)

1-10: LGTM on the JSDoc addition.

The documentation clarifies the interface purpose. Consider using string for body and string | Record<string, unknown> for json_metadata instead of any for better type safety, though the current approach may be intentional for flexibility with varying Hive post structures.

packages/renderer/package.json (1)

3-3: LGTM on version bump and dependency update.

The package version increment to 1.4.4 and the @ecency/render-helper update to ^2.4.4 are consistent with the changes across the monorepo.

Also applies to: 47-47

packages/render-helper/src/index.ts (1)

8-8: LGTM on the type export.

The type-only import and export pattern is correctly implemented, making Entry available to package consumers without any runtime overhead.

Also applies to: 20-21

apps/web/package.json (1)

20-20: LGTM on the dependency update.

The @ecency/render-helper version is consistent with the update in packages/renderer/package.json.

apps/web/src/app/decks/_components/columns/deck-whats-new-column.tsx (2)

6-6: LGTM on the import update.

The switch from markdownToHTML to renderPostBody aligns with the render-helper package API.

---

80-83: XSS sanitization is properly implemented via the xss library.

The renderPostBody function applies comprehensive XSS protection through a custom sanitizeHtml method (in packages/render-helper/src/methods/sanitize-html.method.ts) that uses the xss library with:

• Whitelist-based tag and attribute filtering (ALLOWED_ATTRIBUTES)
• Event handler blocking (attributes starting with on are stripped)
• JavaScript URL blocking in src attributes
• Style attributes entirely disabled
• ID validation against a regex whitelist

Sanitization is applied both during markdown processing (as pre-sanitization for malformed HTML) and as final output processing before returning from markdownToHTML. The GitHub release markdown is therefore safely protected against XSS injection.

packages/renderer/src/lib/api/hive.api.ts (1)

9-24: LGTM!

The caching logic and API call are straightforward. The cache key pattern and type assertion are appropriate for this use case.

packages/renderer/src/lib/components/extensions/wave-like-post-extension.tsx (1)

19-51: Component logic looks good overall.

The URL parsing, caching via getCachedPost, and host detection logic are reasonable. Minor observations:

• Line 20: title in the state type (Entry & { title: string }) is never used in the render output.
• Line 48: The as any cast loses type safety; this could be avoided if the API returns a properly typed response.

These are minor and don't affect functionality.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packages/render-helper/src/methods/a.method.ts`:
- Around line 694-697: The assigned embed URL is wrong: replace the legacy watch
URL assigned to videoHref with the proper 3Speak iframe embed endpoint; set
videoHref to "https://play.3speak.tv/embed?v=${match[3]}&mode=iframe" (using the
same match[3]) so the value stored in data-embed-src is valid for iframe
embedding while leaving el.setAttribute('class', ...) and
el.setAttribute('data-embed-src', videoHref) intact.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8f82c4 and 45631c2.

⛔ Files ignored due to path filters (6)

• packages/render-helper/dist/browser/index.js is excluded by !**/dist/**
• packages/render-helper/dist/browser/index.js.map is excluded by !**/dist/**, !**/*.map
• packages/render-helper/dist/node/index.cjs is excluded by !**/dist/**
• packages/render-helper/dist/node/index.cjs.map is excluded by !**/dist/**, !**/*.map
• packages/render-helper/dist/node/index.mjs is excluded by !**/dist/**
• packages/render-helper/dist/node/index.mjs.map is excluded by !**/dist/**, !**/*.map

📒 Files selected for processing (3)

• packages/render-helper/src/markdown-2-html.spec.ts
• packages/render-helper/src/methods/a.method.spec.ts
• packages/render-helper/src/methods/a.method.ts

🔇 Additional comments (2)

packages/render-helper/src/methods/a.method.spec.ts (1)

1047-1060: LGTM!

The test expectation correctly aligns with the implementation change in a.method.ts. The test properly verifies that 3Speak links are processed with the new URL format.

packages/render-helper/src/markdown-2-html.spec.ts (1)

420-442: LGTM!

The test expectations for 3Speak video handling (tests 26 and 27) are correctly updated to reflect the new embed URL format. Both tests cover different 3Speak TLD variations and properly verify the URL transformation.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}